My experiences of outsourcing have been very mixed. Let's face it, most Boards of Directors, CEOs, CFOs, and the like know little or nothing about IT in general and security in particular (I won't mention "networking"..........they would think you were proposing a fishing expedition in a trawler :D)

You can successfully outsource hardware support, and even applications support. I have seen numerous instances of this. I do NOT believe that you can outsource core activities such as security, business analysis and so forth. That needs to be done by your "men on the ground" or "field agents".............they understand the "business" and the personalities and the BUDGETS :(

The main (generic) problem with outsourcing is that IT spend becomes a direct cost, rather than an indirect overhead. Someone has to manage the budget for that spend............so you end up getting less, either through dilution (as already mentioned) or just plain diminution.

My main objection is that if you want to be sure that you are getting a proper job and the best "bang per buck" you are going to have to employ competent people to oversee or undertake the governance of the service provision..............these guys are the major part of your costs.

Someone mentioned HR (Human Remains?)............. :eek: .........but from that standpoint, if you outsource security, you lose control of the personnel involved, and that cannot be a good idea.

just my thoughts

August 24th, 2004, 12:31 PM

MURACU

In my experience the biggest problem with outsourcing is getting the service you are paying for. As most of you know, any contractor will give you the minimum service for the largest amount of money they can get away with. Outsourcing your helpdesk or even your first level local support team is fairly easy to manage, as it is much easier to judge the quality of service by things like system downtime, incident response time, cost of support per post, etc., whereas, except for a very small minority, it is much harder for most people to judge the quality of a security solution.
It is also very hard to avoid the famous "That is not covered by the contract" statement, especially in security where new threats are brought to light all the time.
These are a few quick oversimplified (because I don't have a lot of time right now) points that I consider important when it comes to any outsourcing deal.

1: When it comes down to comparing the different propositions for the contract I would drop straight away the lowest and highest bids.
2: In most contracts nowadays there are nearly always bonus and penalty clauses. They are there to be used.
3: You should never lose control of your IT infrastructure. Everything should be documented. I have seen cases where, because something was outsourced, the company thought they didn't have to worry about it anymore.
4: There should be independent random audits. Especially for security. I have never seen a security firm who audited itself fail the audit.
5: I would aim for about a 2 year contract. If at the end of the two years you are happy then the signing is a formality, but if you are not happy then it goes back on the market.
6: All decisions should be traceable. If something is decided on the telephone then a confirmation e-mail should follow.

Sorry if this isn't too clear, rushing it a bit, but in any case at the end of the day I would be against outsourcing something as central to a company as IT security. I would go for an internal team where possible, but as Nihil pointed out the decision is rarely made by people with a technical background for security reasons.

August 24th, 2004, 02:19 PM

cacosapo

Quote:

I am going rock climbing and I have the choice to pay extra so my lifelong friend who is also a very experienced rock climber (who has come on multiple rock climbing trips with me before) can come with me, or I save some money and hire a guide who says he knows the route and has had a lot of experience climbing before.

But if you know NOTHING about rock climbing, how can you know that your friend is better than the other one?

BTW, if you are getting your friend together, you are "outsourcing" your climbing, since you trust that "an external person" will help you better than yourself.

I didn't say "I like outsourcing". But sometimes a company just doesn't have enough resources to take care of business, so what else to do except outsourcing?

It's much better having resources, but sometimes you must deal only with "windows 95"..

August 24th, 2004, 02:31 PM

Tiger Shark

Quote:

But if you know NOTHING about rock climbing, how can you know that your friend is better than the other one?

That's irrelevant in the decision making process. You are expanding your "Ring of Trust" from yourself outwards. You know your friend and you know his abilities. Furthermore, since he is your friend there is already a level of trust and there should be a good "feeling" for whether or not the friend will be straightforward with you when something exceeds their ability to cope. If the feeling about that is positive then you have no choice but to go with your friend rather than with a complete stranger. You can then rely upon your friend to assist you using his knowledge to find an appropriate person to effectively manage your security, (rock climbing).

In the event where your feeling about your friend indicates that he may place himself "out of his depth" thus risking your assets, (neck), you can find an independent business consultant to assist you in finding an appropriate employee, (guide).

August 24th, 2004, 02:41 PM

nihil

Cacosapo,

Quote:

I didn't say "I like outsourcing". But sometimes a company just doesn't have enough resources to take care of business, so what else to do except outsourcing?

You have an excellent point there. When I read the thread, making some assumptions from Tony's background, other site etc., I assumed a fairly large scale operation.

However, you brought it back to earth...........small companies frequently have no choice but to outsource, and at the individual level, I am sure that we all help friends and family; so we are outsourcees in a way? Even if all we do is download and set up a free AV and firewall, they have outsourced their security to us.

My point would be that corporate security is more complex, in that you are dealing with the enemy within, as well as the enemy without. In the larger corporate scenarios I feel that it is important to know the business intimately, if you are to perform core IT activities.

I don't like outsourcing to that depth :eek:

Cheers

August 24th, 2004, 02:46 PM

tonybradley

Quote:

That's irrelevant in the decision making process. You are expanding your "Ring of Trust" from yourself outwards. You know your friend and you know his abilities. Furthermore, since he is your friend there is already a level of trust and there should be a good "feeling" for whether or not the friend will be straightforward with you when something exceeds their ability to cope. If the feeling about that is positive then you have no choice but to go with your friend rather than with a complete stranger. You can then rely upon your friend to assist you using his knowledge to find an appropriate person to effectively manage your security, (rock climbing).

I agree with much of what Tiger has said in this thread. I also think that asking this question in a security forum builds in an inherent bias. Of course we all think nobody can do it as well as we can- that is what we get paid to do. But, to someone outside of IT or network security it may make perfect business sense.

It is more of a core function though. It is one thing to outsource payroll- it is what it is and there is no real "thought" that has to go into it. Companies "outsource" their housekeeping to janitorial services. They outsource their food service and vending to service providers. The trend for a while was to outsource anything that wasn't part of the core values of the company. If you are Chrysler your job is to design and manufacture cars, not prepare food, empty the trash, fix the elevator or, arguably, secure the network.

Many companies outsource the actual helpdesk / field technician portion of IT- it is often more cut and dried. However, the design and implementation of network architecture- the IT itself and the security, is something that requires a deeper understanding of the company and requires a deeper commitment (and trust, as Tiger keeps pointing out) than you might get from a 3rd-party vendor.

All of that said, the point I agree on here with Tiger is that if you ARE going to outsource, you are going to hire the company you know and trust. All things being equal you are more likely to hire your friend's company than Joe Smith's company because even if you know nothing about what they actually do, you have some level of trust in the character and integrity of your friend. If you are buying a car you are more likely to buy from someone you know- not only to help them make money, but because you trust them not to ***** you.

I think that for many small to medium businesses outsourcing is not only viable, but often unavoidable. If you only have so many people and so many dollars it may simply not be feasible to buy the equipment and hire the personnel to manage all aspects of network administration and security. In those cases I think that the company at least needs to hire one brilliant person to be CISO (chief information security officer) or something to that effect. They need one person who knows enough to evaluate and select the tools and services the company needs. They need one person who understands the business and how IT and network security mesh with and impact it so that intelligent decisions can be made about what to outsource and who to outsource it to.

Quote:

You have an excellent point there. When I read the thread, making some assumptions from Tony's background, other site etc., I assumed a fairly large scale operation.

My inquiry is purely theoretical. I am really looking for viewpoints and opinions from which to build articles and such for my site and for freelance magazine writing that I do. Neither I, nor any company I work with, is actually in the market for this type of service right now. So, don't base any answers on how much you think my company (companies) might need or want outsourced security. I just want to know what everyone thinks of the concept and if anyone has any success or horror stories around managed security or even managed IT.

August 24th, 2004, 03:05 PM

cacosapo

Quote:

They need one person who knows enough to evaluate and select the tools and services the company needs. They need one person who understands the business and how IT and network security mesh with and impact it so that intelligent decisions can be made about what to outsource and who to outsource it to.

You just said it all, Tony. This is the current path for most (smart) companies. Keep a few guys that understand IT AND business to be the "interconnection" between outsourcers and company.

And Tiger, although your argumentation is good, my answer is... no...
I won't hire (contract) a friend just because I trust him but I'm not sure that he can take care of business.
I would prefer to go to market and find someone that I trust AND can take care of stuff.
It is not a balance between trustworthiness and knowledge. I think I need BOTH. If someone has one but not the other, he/she won't fit. Just that.

Outsourcing is not a panacea. In fact, some of those actions (I've joined some) led clients to disaster.

But we (IT guys) aren't conducting business. We are a SUPPORT area.

So when the VP balances IT Security ----------------------------x-----------------------More Revenue

what would he/she choose?

I ran an infrastructure area at a large company with a very small staff. Result? A mess. Lack of resources ----> lazy security administration. After that I contracted a girl (through outsourcing) to help with sec stuff. Nowadays, that company has a totally outsourced security team. Good? Yes. Would I prefer to have an "in" security team? Yes, but I didn't have that choice.

August 24th, 2004, 03:06 PM

jinxy

Personally, I think it all boils down to the personality of the company in the end. Some companies want to own every asset outright and some want to hire or lease everything. Some companies will always invest in the latest and greatest, some will make whatever they are using last.

Infosec is no different than any other part of a company's costs; whether it is outsourced or kept in house will probably be determined by the ethos of the company. Or perhaps the beancounters, of which I know of none that can see further than the quarterly profit and loss report.

August 24th, 2004, 03:23 PM

nihil

Tony,

Quote:

Neither I, nor any company I work with, is actually in the market for this type of service right now. So, don't base any answers on how much you think my company (companies) might need or want outsourced security.

I didn't think that you were............are you still at allexperts.com, or have you moved on?

Quote:

I just want to know what everyone thinks of the concept and if anyone has any success or horror stories around managed security or even managed IT.

Well, I know of plenty of horror stories regarding outsourcing the IT function as a whole, but I expect that concept to be dead in 10 years except for small outfits who cannot afford full-time resources. Effectively they have always "outsourced", but I prefer to think of that as "sharing".

I can remember the days of computer bureaux :D they are as rare as rocking horse sh1t nowadays, so I look on outsourcing with some cynicism.

As for "trust"...........well, in God I trust, the rest of you pay cash up front :D

Cheers

August 24th, 2004, 04:08 PM

tonybradley

Quote:

I didn't think that you were............are you still at allexperts.com, or have you moved on?

Funny you should ask. I signed up as an "expert" at allexperts.com YEARS ago. Never heard much of anything from them. Then I signed on to be the Guide of the About.com site for Internet and Network Security. Only after the fact did I learn that at some point About.com or their parent bought AllExperts.com, so the companies are under the same roof now.

I have a day job, plus the About.com netsecurity site, plus doing freelance writing for Processor Magazine (and one gig I did back in the spring for JiWire.com) and I have two book deals- one in editing now and one yet to be started.